Get The Latest Insights

By Jessica Ellis | January 17, 2023

QBot was the most reported payload targeting employee inboxes in Q4, according to Fortra’s PhishLabs. This is the fourth consecutive month QBot has led malware activity as bad actors target organizations with a steady stream of high-volume attack campaigns. QBot previously represented the second most reported payload family, trailing behind RedLine Stealer in Q3.

Email payloads remain the primary delivery method of ransomware targeting organizations. PhishLabs continuously monitors payload families reported in corporate inboxes to help mitigate attacks targeting their businesses. Below are the top payload threats to enterprises in Q4.


QBot represented the vast majority of malware attacks in Q4, contributing to 94.46% of total volume. QBot is a versatile MaaS (malware-as-a-service) capable of performing a broad range of actions including stealing financial information and credentials, moving laterally within networks, and more.

QBot is one of many former banking trojans increasingly used by threat actors to install backdoors for malicious software like ransomware. Delivery tactics include phishing lures containing malicious Microsoft Word or Excel attachments, and HTML hijacking campaigns using SVG files to smuggle malicious Javascript onto an end-user’s device. QBot is linked to the Egregor and Black Basta ransomware families.

Below is an example of a phishing lure containing a link to QBot malware. The attacker used a previously legitimate email thread to deliver the lure.


BitRAT was the second most reported payload variety in Q4, contributing to 4.4% of overall volume. BitRAT is a low-cost, ready-to-deploy malware that has grown in popularity within the criminal underground since its emergence in 2021. BitRAT’s capabilities include stealing credentials and delivering ransomware. Recent BitRAT campaigns use previously stolen banking data in phishing lures.

Below is a phishing lure delivering a BitRAT attachment.


Dridex rounded out the top three payload varieties in Q4, making up 0.57% of reports. Dridex is a banking trojan and backdoor capable of form grabbing, key logging, and data encryption. It is also capable of more advanced functions such as atom bomb injection, a code injection technique which abuses Windows atoms tables to infiltrate systems.

Dridex has been largely absent from reports in 2022, with its volume peaking in October. The malware is thought to be the brainchild of Russian actor group Evil Corp and has recently been linked to newcomer Raspberry Robin, a worm with similar functionality and infrastructure.

Below is a phishing lure delivering a malicious attachment infected with Dridex.

Other malware varieties reported in Q4 were Agent Tesla, Emotet, Formbook, and LokiBot.

Malware continues to result in data and financial loss, and is often used as initial access in ransomware attacks. Malware varieties frequently fluctuate in activity, as functionalities are improved upon and new tactics are adopted. Fortra’s PhishLabs monitors payload activity so that organizations may better prepare for and prevent these types of attacks.

Learn how PhishLabs protects against threats targeting corporate inboxes here.